Metasploit.com, Rapid7.com “Hacked” by Palestinian Hackers of KDMS Team

This could be another defacement via DNS hijacking

Palestinian hackers of KDMS Team, the ones that have defaced numerous high-profile domains over the past days through DNS poisoning, have hijacked metasploit.com, the website dedicated to the popular penetration testing software Metasploit. They've also defaced Rapid7's website, rapid7.com.

“Hello Metasploit. After whatsapp, avira, alexa, avg and other sites we was thinking about quitting hacking and disappear again! But we said: there is some sites must be hacked. You are one of our targets. Therefore we are here,” the hackers wrote on the defaced websites.

“And there is another thing. Do you know Palestine? There is a land called Palestine on the earth. This land has been stolen by Zionist. Do you know it? Palestinian people has the right to live in peace. Deserve to liberate their land and release all prisoners from Israeli jails. We want peace,” they added.

It’s uncertain at this point if the hackers have really hacked Metasploit.com and Rapid7.com or if this is another case of DNS hijacking. It’s most likely the second variant.

In any case, I’ve reached out to Rapid7 to find out exactly. The post will be updated when they respond to my inquiry.

Updated to add that Rapid7's website has also been defaced.

Update 2. Rapid7's HD Moore has confirmed that the websites were hijacked through the registrar, Register.com.

“Still having a tug of war with the Rapid7 domains, the attackers have the ability to change ANY Register.com domain, check yours,” Moore warned on Twitter.

It's worth noting that Register.com is owned by Web.com, the same as Network Solutions, the registrar hacked when AVG, Avira and Whatsapp sites were defaced.

Update 3. Rapid7 has provided the following statement regarding the incident:

“This morning the DNS settings for Rapid7.com and Metasploit.com were changed by a malicious third-party. We have taken action to address the issue and both sites are now locked down. We are currently investigating the situation, but it looks like the domain was hijacked via a spoofed change request faxed to Register.com.

We apologize for the service disruption, and do not anticipate any further implications for our users and customers at this time. We will keep everyone posted as we learn more, and let the community know if any action is needed.”